SM
Uploaded bySylvain Martinez
PDF, PPTX971 views

INCIDENT RESPONSE OVERVIEW

This document provides an overview of incident response procedures, including the incident response life cycle of detection, categorization, containment, investigation, remediation, reporting, and learnings. It outlines roles and responsibilities, communication processes, and generic response playbooks. Resources for incident response frameworks and standards are also referenced.

Technology
Related topics:
Cyber-Security
In this document
Powered by AI

Introduction to incident response, its goal, and the management framework needed for effective response.

Overview of the incident response lifecycle: detection, categorization, containment, investigation, remediation, reporting, and learnings.

Guidelines for incident handling, stressing confidentiality and coordination while avoiding engagement with threats.

Key elements in detection, including who reported the threat, its validity, and detection method.

Assessment during categorization, identifying the target, impact, and priority of the incident.

Actions for rapid incident management and containment, including threat analysis and isolating affected assets.

Details on analyzing threats, including network, malware, and user investigations to gather evidence.

Remediation techniques for network, malware, host, and user issues, leading to an incident declaration.

Establishing ongoing reporting requirements and documentation processes for incidents and evidence.

Root cause analysis and developing plans for future mitigation and improvements from past incidents.

Summary of containment and remediation actions in a structured response playbook.

References to frameworks and guidelines for incident response and security, including contact information.

Information about Elysium Security's services and expertise in cyber protection and incident response.

Embed presentation

Download as PDF, PPTX
INCIDENT RESPONSE OVERVIEW VERSION: 1.3a DATE: 27/03/2019 AUTHOR: SYLVAIN MARTINEZ REFERENCE: ESC15-MUSCL CLASSIFICATION: PUBLIC {elysiumsecurity} cyber protection & response
2 • Incident Response Overview; • Incident Response Life Cycle; • Rules of Engagement; • 1. Detection; • 2. Categorisation; • 3. Containment; • 4. Investigation; • 5. Remediation; • 6. Reporting; • 7. Learnings. • Generic Response Playbook; • Resources. CONTENTS PUBLIC GOING FURTHERRESPONSECONTEXT {elysiumsecurity} cyber protection & response
3 THE GOAL OF INCIDENT RESPONSE IS TO FIRST CONTAIN THE THREAT, THEN REMEDIATE IT AND RECOVER FROM IT. EFFICIENT INCIDENT RESPONSE RELIES ON ITS INCIDENT MANAGEMENT FRAMEWORK: • CATEGORIES; • ROLES; • RESPONSABILITIES; • COMMUNICATION; • COORDINATION; • PLAYBOOKS; • SIMULATIONS; • ETC. PUBLIC {elysiumsecurity} cyber protection & response INCIDENT RESPONSE OVERVIEW GOING FURTHERRESPONSECONTEXT
4 1. DETECTION 2. CATEGORISATION 3. CONTAINMENT 4. INVESTIGATION5. REMEDIATION 6. REPORTING 7. LEARNINGS PUBLIC {elysiumsecurity} cyber protection & response INCIDENT RESPONSE LIFE CYCLE GOING FURTHERRESPONSECONTEXT
5 DO NOT ENGAGE OR INTERACT WITH THE HACKER/THREAT GROUP DO NOT CONNECT TO THE THREAT’S RELATED NETWORK(S) FROM YOUR ORGANISATION PRESERVE EVIDENCE COORDINATE INTERNAL AND EXTERNAL COMMUNICATION WITH MANAGEMENT ALL INCIDENT DETAILS MUST BE TREATED AS CONFIDENTIAL DO NOT MAKE THINGS WORSE! PUBLIC 1 2 3 4 5 {elysiumsecurity} cyber protection & response 0. RULES OF ENGAGEMENT GOING FURTHERRESPONSECONTEXT
6 WHO/WHAT DETECTED/REPORTED THE THREAT? WHAT IS THE DATE AND TIME OF THE THREAT DETECTION/REPORT? HOW WAS THE THREAT DETECTED/REPORTED? HAS A SIMILAR THREAT ALREADY BEEN REPORTED? IS THE THREAT VALID? PUBLIC 1 2 3 4 5 {elysiumsecurity} cyber protection & response 1. DETECTION GOING FURTHERRESPONSECONTEXT
7 WHO/WHAT IS THE TARGET OF THE THREAT? IS THIS AN ON GOING/LIVE THREAT? WHAT IS THE IMPACT OF THE THREAT? CATEGORISE THE PRIORITY OF THE INCIDENT (P1, P2, P3) CLASSIFY THE INCIDENT COMMUNICATION (RESTRICTED/UNRESTRICTED) PUBLIC 1 2 3 4 5 DECLARE AN INCIDENT… OR NOT! {elysiumsecurity} cyber protection & response 2. CATEGORISATION GOING FURTHERRESPONSECONTEXT
8 COORDINATE INCIDENT MANAGEMENT (TEAM, COMMS, ACTIVITIES, DOCUMENTATION) LIGHT AND QUICK THREAT ANALYSIS (NETWORK, HOST, USER) IDENTIFY MAIN ATTACK AND COMPROMISE VECTORS (IP, PORTS, SIGNATURES, EMAIL, ETC) ISOLATE THE TARGETED ASSET (REMOVE FROM NETWORK, DISABLE ACCOUNT, ETC) IMPLEMENT EMERGENCY CHANGES AS REQUIRED (NETWORK, HOST, USER) PUBLIC 1 2 3 4 5 {elysiumsecurity} cyber protection & response 3. CONTAINMENT GOING FURTHERRESPONSECONTEXT
9 THREAT NETWORK ANALYSIS (F/W, CLOUD APP LOGS, ASSET LOGS, INTERCEPTED TRAFFIC, TRAFFIC AND DATA FLOWS, SIEM) THREAT MALWARE ANALYSIS (A/V VENDORS, FOOTPRINT, BEHAVIOR, REVERSE ENGINEERING) THREAT HOST ANALYSIS (EVENT LOGS, APP/PLUGINS INSTALLED, AD/EMAIL ACTIVITIES, AUTHENTICATED VA TO BE DONE, SIEM) THREAT USER ANALYSIS (INTERVIEW TARGETED USER, CONTEXT, TRIGGERS, RECENT UNUSUAL ACTIVITIES/ALERTS) THREAT RESEARCH ANALYSIS (ONLINE SEARCH FOR SIMILAR THREATS, PROFESSIONAL FORUMS, VENDOR ENGAGEMENT) PUBLIC 1 2 3 4 5 {elysiumsecurity} cyber protection & response 4. INVESTIGATION GOING FURTHERRESPONSECONTEXT
10 THREAT NETWORK REMEDIATION (BLOCK IP, PORTS, DOMAINS, EMAILS. UPDATE F/W, IDS, APT AND SIEM RULES) THREAT MALWARE REMEDIATION (UPDATE HOST AND NETWORK A/V SIGNATURES. ENGAGE WITH VENDORS THAT DID NOT DETECT THE THREAT) THREAT HOST REMEDIATION (REMOVE/BAN INFECTED APPS/PLUGINS, CLEAR INBOX RULES, REMEDIATE ISSUES FOUND DURING THE VA) THREAT USER REMEDIATION (INDIVIDUAL AND GROUP USER AWARENESS SESSION RELEVANT TO THE THREAT) DECLARE THE INCIDENT REMEDIATED PUBLIC 1 2 3 4 5 {elysiumsecurity} cyber protection & response 5. REMEDIATION GOING FURTHERRESPONSECONTEXT
11 ON GOING REPORTING (DOCUMENTATION AND EVIDENCE SHOULD BE GENERATED AS MUCH AS POSSIBLE DURING THE PREVIOUS PHASES) EVIDENCE GATHERING (THREAT ACTORS, ATTACK VECTORS, ATTACK SURFACE) INCIDENT DOCUMENTATION (THREAT AND INCIDENT DETAILS, TRIGGERS, OWNER, FINDINGS, TIMELINE) INCIDENT REGISTER (CREATE/UPDATE AN OVERALL INCIDENT REGISTER TO TRACK PROGRESS AND GENERATES STATISTICS. CAN BE LINKED TO OTHER REGISTERS: RISKs/ISSUES) INCIDENT REPORT COMMUNICATION (AS REQUIRED: INTERNAL/EXTERNAL, STAFF/MANAGEMENT/BOARD, VENDORS/CLIENTS, GOVERNMENT/REGULATORS) PUBLIC 1 2 3 4 5 {elysiumsecurity} cyber protection & response 6. REPORTING GOING FURTHERRESPONSECONTEXT
12 ROOT CAUSE ANALYSIS (IDENTIFY AND DOCUMENT INCIDENT TRIGGERS AND SECURITY GAPS THAT ENABLED THE INCIDENT TO OCCUR) CONTROLS AND PROCESSES READINESS (EVALUATE THE EFFICIENCY OF CURRENT SECURITY CONTROLS AND PROCESSES IN LIGHT OF THE INCIDENT) INCIDENT TRENDS ANALYSIS (ARE YOU LEARNING FROM PAST INCIDENTS? IS YOUR RISK PROFILE CHANGING?) MITIGATION PLAN (MITIGATE IMPACT OF SIMILAR FUTURE INCIDENTS) IMPROVEMENTS PLAN (STOP OCCURRENCE OF SIMILAR FUTURE INCIDENTS) PUBLIC 1 2 3 4 5 {elysiumsecurity} cyber protection & response 7. LEARNINGS GOING FURTHERRESPONSECONTEXT
13 ANALYSIS PUBLIC CONTAINMENT/REMEDIATION NETWORK • BLOCK IP/PORTS/SERVICES; • BLOCK EMAIL; • CHANGE PWD MALWARE HOST • UPDATE A/V AND F/W RULES; • REMOVE MALWARE/SERVICES; • CHANGE PWD. • REMOVE SOFTWARE/PLUGIN; • UPDATE SECURITY CONFIGURATION; REMOVE SERVICES/LOCAL ADMIN. {elysiumsecurity} cyber protection & response GENERIC RESPONSE PLAYBOOK GOING FURTHERRESPONSECONTEXT
14 Forum of Incident Response and Security Teams (FIRST) FRAMEWORK (https://www.first.org/education/FIRST_SIRT_Services_Framework_Version1.0.pdf) National Institute of Standards and Technology (NIST) Special Procedure (SP) 800-61 (https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf) International Organization for Standardization (ISO) ISO/IEC 27035-1:2016 (https://www.iso.org/standard/60803.html) International Organization for Standardization (ISO) ISO/IEC 27035-2:2016 (https://www.iso.org/standard/62071.html?browse=tc) CONTACT US! (contact@elysiumsecurity.com) PUBLIC {elysiumsecurity} cyber protection & response RESOURCES GOING FURTHERRESPONSECONTEXT
{elysiumsecurity} cyber protection & response © 2015-2019 ELYSIUMSECURITY LTD ALL RIGHTS RESERVED HTTPS://WWW.ELYSIUMSECURITY.COM ABOUT ELYSIUMSECURITY LTD. ELYSIUMSECURITY PROVIDES PRACTICAL EXPERTISE TO IDENTIFY VULNERABILITIES, ASSESS THEIR RISKS AND IMPACT, REMEDIATE THOSE RISKS, PREPARE AND RESPOND TO INCIDENTS AS WELL AS RAISE SECURITY AWARENESS THROUGH AN ORGANIZATION. ELYSIUMSECURITY PROVIDES HIGH LEVEL EXPERTISE GATHERED THROUGH YEARS OF BEST PRACTICES EXPERIENCE IN LARGE INTERNATIONAL COMPANIES ALLOWING US TO PROVIDE ADVICE BEST SUITED TO YOUR BUSINESS OPERATIONAL MODEL AND PRIORITIES. ELYSIUMSECURITY PROVIDES A PORTFOLIO OF STRATEGIC AND TACTICAL SERVICES TO HELP COMPANIES PROTECT AND RESPOND AGAINST CYBER SECURITY THREATS. WE DIFFERENTIATE OURSELVES BY OFFERING DISCREET, TAILORED AND SPECIALIZED ENGAGEMENTS. ELYSIUMSECURITY OPERATES IN MAURITIUS AND IN EUROPE, A BOUTIQUE STYLE APPROACH MEANS WE CAN EASILY ADAPT TO YOUR BUSINESS OPERATIONAL MODEL AND REQUIREMENTS TO PROVIDE A PERSONALIZED SERVICE THAT FITS YOUR WORKING ENVIRONMENT.

More Related Content

PDF
INCIDENT RESPONSE NIST IMPLEMENTATION
bySylvain Martinez
 
PDF
INCIDENT RESPONSE CONCEPTS
bySylvain Martinez
 
PPTX
Incident response
byAnshul Gupta
 
PDF
Cybersecurity Incident Management Powerpoint Presentation Slides
bySlideTeam
 
PDF
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
byWAJAHAT IQBAL
 
DOCX
Cyber+incident+response+ +generic+ransomware+playbook+v2.3
byUnioGeek
 
PPTX
Phishing Incident Response Playbook
byNaushad CEH, CHFI, MTA, ITIL
 
PDF
PwC Point of View on Cybersecurity Management
byCA Technologies
 
INCIDENT RESPONSE NIST IMPLEMENTATION
bySylvain Martinez
 
INCIDENT RESPONSE CONCEPTS
bySylvain Martinez
 
Incident response
byAnshul Gupta
 
Cybersecurity Incident Management Powerpoint Presentation Slides
bySlideTeam
 
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
byWAJAHAT IQBAL
 
Cyber+incident+response+ +generic+ransomware+playbook+v2.3
byUnioGeek
 
Phishing Incident Response Playbook
byNaushad CEH, CHFI, MTA, ITIL
 
PwC Point of View on Cybersecurity Management
byCA Technologies
 

What's hot

PPTX
Cyber Threat Hunting Workshop
byDigit Oktavianto
 
PPTX
MITRE ATT&CK framework
byBhushan Gurav
 
PDF
Threat Hunting
bySplunk
 
PPTX
Cyber Threat Intelligence.pptx
byAbimbolaFisher1
 
PDF
Threat Intelligence
byDeepak Kumar (D3)
 
PPTX
An introduction to SOC (Security Operation Center)
byAhmad Haghighi
 
PDF
MITRE ATT&CK Framework
byn|u - The Open Security Community
 
PPSX
Next-Gen security operation center
byMuhammad Sahputra
 
PDF
Cyber Threat Intelligence
bymohamed nasri
 
PPTX
Cybersecurity Attack Vectors: How to Protect Your Organization
byTriCorps Technologies
 
PPTX
The Six Stages of Incident Response
byDarren Pauli
 
PPTX
IBM Security QRadar
byVirginia Fernandez
 
PPTX
Security Information and Event Management (SIEM)
byk33a
 
PPTX
Bsides 2019 - Intelligent Threat Hunting
byDhruv Majumdar
 
PDF
Threat Hunting Procedures and Measurement Matrice
byVishal Kumar
 
PPT
Penetration Testing Basics
byRick Wanner
 
PPTX
Security Information and Event Management (SIEM)
byhardik soni
 
PDF
SIEM Architecture
byNishanth Kumar Pathi
 
PPTX
DDoS ATTACKS
byAnil Antony
 
PPTX
Threat hunting - Every day is hunting season
byBen Boyd
 
Cyber Threat Hunting Workshop
byDigit Oktavianto
 
MITRE ATT&CK framework
byBhushan Gurav
 
Threat Hunting
bySplunk
 
Cyber Threat Intelligence.pptx
byAbimbolaFisher1
 
Threat Intelligence
byDeepak Kumar (D3)
 
An introduction to SOC (Security Operation Center)
byAhmad Haghighi
 
MITRE ATT&CK Framework
byn|u - The Open Security Community
 
Next-Gen security operation center
byMuhammad Sahputra
 
Cyber Threat Intelligence
bymohamed nasri
 
Cybersecurity Attack Vectors: How to Protect Your Organization
byTriCorps Technologies
 
The Six Stages of Incident Response
byDarren Pauli
 
IBM Security QRadar
byVirginia Fernandez
 
Security Information and Event Management (SIEM)
byk33a
 
Bsides 2019 - Intelligent Threat Hunting
byDhruv Majumdar
 
Threat Hunting Procedures and Measurement Matrice
byVishal Kumar
 
Penetration Testing Basics
byRick Wanner
 
Security Information and Event Management (SIEM)
byhardik soni
 
SIEM Architecture
byNishanth Kumar Pathi
 
DDoS ATTACKS
byAnil Antony
 
Threat hunting - Every day is hunting season
byBen Boyd
 

Similar to INCIDENT RESPONSE OVERVIEW

PDF
INTRODUCTION TO CYBER FORENSICS
bySylvain Martinez
 
PPT
cyber security incident exercises TTX .ppt
byZharfanHanif
 
PPTX
Incident Response: Validation, Containment & Forensics
byPriyanka Aash
 
PDF
Craft Your Cyber Incident Response Plan (Before It's Too Late)
byResilient Systems
 
PDF
OFFENSIVE IDS
bySylvain Martinez
 
PPTX
KSS ON CYBERSECURITY INCIDENT RESPONSE AND PLANNING MANAGEMENT.pptx
byCashmir Pangandaman
 
PDF
Cybersecurity Incident Response Planning.pdf
byCiente
 
PPTX
chapter on Incident Response Management.
bySuhail Qadir Mir
 
PPTX
INCIDENT-RESPONSE_093004 (1).pdtffyghgptx
byjess12castano
 
PPTX
Incident Response Lifecycle - Assignment 2 - Judd Nikolai Rosayaga.pptx
byMohammadRafsunIslam
 
PDF
Ch5-Incident Response Management.pdfncident Response Management.
bySuhail Qadir Mir
 
PPTX
Ch2-Incident Response Process.pptxIncident Response Process
bySuhail Qadir Mir
 
PDF
Practical Guide to Managing Incidents Using LLM's and NLP.pdf
byChris Galvan
 
PPTX
Navigating Cybersecurity Incidents in 2025
bywininlifeacademy5
 
PDF
Navigating-Cybersecurity-Incidents-in-2025.pptx.pdf
byWin In Life Academy
 
DOCX
Cyber+Capability+Toolkit+-+Cyber+Incident+Response+-+Cyber+Incident+Response+...
byMaoTseTungBritoSilva1
 
PDF
YBB-NW-distribution
byMike Saunders
 
PPTX
You Will Be Breached
byMike Saunders
 
PPTX
Tsc2021 cyber-issues
byErnest Staats
 
PPTX
IAEM cybersecurity 101
bySarah K Miller
 
INTRODUCTION TO CYBER FORENSICS
bySylvain Martinez
 
cyber security incident exercises TTX .ppt
byZharfanHanif
 
Incident Response: Validation, Containment & Forensics
byPriyanka Aash
 
Craft Your Cyber Incident Response Plan (Before It's Too Late)
byResilient Systems
 
OFFENSIVE IDS
bySylvain Martinez
 
KSS ON CYBERSECURITY INCIDENT RESPONSE AND PLANNING MANAGEMENT.pptx
byCashmir Pangandaman
 
Cybersecurity Incident Response Planning.pdf
byCiente
 
chapter on Incident Response Management.
bySuhail Qadir Mir
 
INCIDENT-RESPONSE_093004 (1).pdtffyghgptx
byjess12castano
 
Incident Response Lifecycle - Assignment 2 - Judd Nikolai Rosayaga.pptx
byMohammadRafsunIslam
 
Ch5-Incident Response Management.pdfncident Response Management.
bySuhail Qadir Mir
 
Ch2-Incident Response Process.pptxIncident Response Process
bySuhail Qadir Mir
 
Practical Guide to Managing Incidents Using LLM's and NLP.pdf
byChris Galvan
 
Navigating Cybersecurity Incidents in 2025
bywininlifeacademy5
 
Navigating-Cybersecurity-Incidents-in-2025.pptx.pdf
byWin In Life Academy
 
Cyber+Capability+Toolkit+-+Cyber+Incident+Response+-+Cyber+Incident+Response+...
byMaoTseTungBritoSilva1
 
YBB-NW-distribution
byMike Saunders
 
You Will Be Breached
byMike Saunders
 
Tsc2021 cyber-issues
byErnest Staats
 
IAEM cybersecurity 101
bySarah K Miller
 

More from Sylvain Martinez

PDF
DATA LOSS PREVENTION OVERVIEW
bySylvain Martinez
 
PDF
PHISHING PROTECTION
bySylvain Martinez
 
PDF
IOT Security
bySylvain Martinez
 
PDF
VIRTUAL CISO AND OTHER KEY CYBER ROLES
bySylvain Martinez
 
PDF
Mobile Security Assessment
bySylvain Martinez
 
PDF
PROGRAMMING AND CYBER SECURITY
bySylvain Martinez
 
PDF
Risk on Crypto Currencies
bySylvain Martinez
 
PDF
The Art of CTF
bySylvain Martinez
 
PDF
2019 CYBER SECURITY TRENDS REPORT REVIEW
bySylvain Martinez
 
PDF
INCIDENT HANDLING IN ORGANISATIONS
bySylvain Martinez
 
PDF
INTRODUCTION TO CRYPTOGRAPHY
bySylvain Martinez
 
PPTX
Ethical Hacking
bySylvain Martinez
 
PDF
Talk1 esc7 muscl-dataprotection_v1_2
bySylvain Martinez
 
PDF
OFFICE 365 SECURITY
bySylvain Martinez
 
PDF
Talk2 esc4 muscl-ids_v1_2
bySylvain Martinez
 
PDF
Talk1 esc3 muscl-standards and regulation_v1_1
bySylvain Martinez
 
PDF
Talk1 esc7 muscl-gdpr_debate_v1_2
bySylvain Martinez
 
PDF
SOCIAL MEDIA AS A CYBER WEAPON
bySylvain Martinez
 
PDF
ARE YOU RED TEAM READY?
bySylvain Martinez
 
PPTX
GDPR SECURITY ISSUES
bySylvain Martinez
 
DATA LOSS PREVENTION OVERVIEW
bySylvain Martinez
 
PHISHING PROTECTION
bySylvain Martinez
 
IOT Security
bySylvain Martinez
 
VIRTUAL CISO AND OTHER KEY CYBER ROLES
bySylvain Martinez
 
Mobile Security Assessment
bySylvain Martinez
 
PROGRAMMING AND CYBER SECURITY
bySylvain Martinez
 
Risk on Crypto Currencies
bySylvain Martinez
 
The Art of CTF
bySylvain Martinez
 
2019 CYBER SECURITY TRENDS REPORT REVIEW
bySylvain Martinez
 
INCIDENT HANDLING IN ORGANISATIONS
bySylvain Martinez
 
INTRODUCTION TO CRYPTOGRAPHY
bySylvain Martinez
 
Ethical Hacking
bySylvain Martinez
 
Talk1 esc7 muscl-dataprotection_v1_2
bySylvain Martinez
 
OFFICE 365 SECURITY
bySylvain Martinez
 
Talk2 esc4 muscl-ids_v1_2
bySylvain Martinez
 
Talk1 esc3 muscl-standards and regulation_v1_1
bySylvain Martinez
 
Talk1 esc7 muscl-gdpr_debate_v1_2
bySylvain Martinez
 
SOCIAL MEDIA AS A CYBER WEAPON
bySylvain Martinez
 
ARE YOU RED TEAM READY?
bySylvain Martinez
 
GDPR SECURITY ISSUES
bySylvain Martinez
 

Recently uploaded

PDF
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PDF
December Patch Tuesday
byIvanti
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PPTX
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PPTX
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PDF
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
PDF
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
PPTX
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
PPTX
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
PDF
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
PDF
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
December Patch Tuesday
byIvanti
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
The year in review - MarvelClient in 2025
bypanagenda
 
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 

INCIDENT RESPONSE OVERVIEW

  • 1.
    INCIDENT RESPONSE OVERVIEW VERSION: 1.3a DATE:27/03/2019 AUTHOR: SYLVAIN MARTINEZ REFERENCE: ESC15-MUSCL CLASSIFICATION: PUBLIC {elysiumsecurity} cyber protection & response
  • 2.
    2 • Incident Response Overview; •Incident Response Life Cycle; • Rules of Engagement; • 1. Detection; • 2. Categorisation; • 3. Containment; • 4. Investigation; • 5. Remediation; • 6. Reporting; • 7. Learnings. • Generic Response Playbook; • Resources. CONTENTS PUBLIC GOING FURTHERRESPONSECONTEXT {elysiumsecurity} cyber protection & response
  • 3.
    3 THE GOAL OFINCIDENT RESPONSE IS TO FIRST CONTAIN THE THREAT, THEN REMEDIATE IT AND RECOVER FROM IT. EFFICIENT INCIDENT RESPONSE RELIES ON ITS INCIDENT MANAGEMENT FRAMEWORK: • CATEGORIES; • ROLES; • RESPONSABILITIES; • COMMUNICATION; • COORDINATION; • PLAYBOOKS; • SIMULATIONS; • ETC. PUBLIC {elysiumsecurity} cyber protection & response INCIDENT RESPONSE OVERVIEW GOING FURTHERRESPONSECONTEXT
  • 4.
    4 1. DETECTION 2. CATEGORISATION 3. CONTAINMENT 4.INVESTIGATION5. REMEDIATION 6. REPORTING 7. LEARNINGS PUBLIC {elysiumsecurity} cyber protection & response INCIDENT RESPONSE LIFE CYCLE GOING FURTHERRESPONSECONTEXT
  • 5.
    5 DO NOT ENGAGEOR INTERACT WITH THE HACKER/THREAT GROUP DO NOT CONNECT TO THE THREAT’S RELATED NETWORK(S) FROM YOUR ORGANISATION PRESERVE EVIDENCE COORDINATE INTERNAL AND EXTERNAL COMMUNICATION WITH MANAGEMENT ALL INCIDENT DETAILS MUST BE TREATED AS CONFIDENTIAL DO NOT MAKE THINGS WORSE! PUBLIC 1 2 3 4 5 {elysiumsecurity} cyber protection & response 0. RULES OF ENGAGEMENT GOING FURTHERRESPONSECONTEXT
  • 6.
    6 WHO/WHAT DETECTED/REPORTED THE THREAT? WHATIS THE DATE AND TIME OF THE THREAT DETECTION/REPORT? HOW WAS THE THREAT DETECTED/REPORTED? HAS A SIMILAR THREAT ALREADY BEEN REPORTED? IS THE THREAT VALID? PUBLIC 1 2 3 4 5 {elysiumsecurity} cyber protection & response 1. DETECTION GOING FURTHERRESPONSECONTEXT
  • 7.
    7 WHO/WHAT IS THETARGET OF THE THREAT? IS THIS AN ON GOING/LIVE THREAT? WHAT IS THE IMPACT OF THE THREAT? CATEGORISE THE PRIORITY OF THE INCIDENT (P1, P2, P3) CLASSIFY THE INCIDENT COMMUNICATION (RESTRICTED/UNRESTRICTED) PUBLIC 1 2 3 4 5 DECLARE AN INCIDENT… OR NOT! {elysiumsecurity} cyber protection & response 2. CATEGORISATION GOING FURTHERRESPONSECONTEXT
  • 8.
    8 COORDINATE INCIDENT MANAGEMENT (TEAM,COMMS, ACTIVITIES, DOCUMENTATION) LIGHT AND QUICK THREAT ANALYSIS (NETWORK, HOST, USER) IDENTIFY MAIN ATTACK AND COMPROMISE VECTORS (IP, PORTS, SIGNATURES, EMAIL, ETC) ISOLATE THE TARGETED ASSET (REMOVE FROM NETWORK, DISABLE ACCOUNT, ETC) IMPLEMENT EMERGENCY CHANGES AS REQUIRED (NETWORK, HOST, USER) PUBLIC 1 2 3 4 5 {elysiumsecurity} cyber protection & response 3. CONTAINMENT GOING FURTHERRESPONSECONTEXT
  • 9.
    9 THREAT NETWORK ANALYSIS (F/W,CLOUD APP LOGS, ASSET LOGS, INTERCEPTED TRAFFIC, TRAFFIC AND DATA FLOWS, SIEM) THREAT MALWARE ANALYSIS (A/V VENDORS, FOOTPRINT, BEHAVIOR, REVERSE ENGINEERING) THREAT HOST ANALYSIS (EVENT LOGS, APP/PLUGINS INSTALLED, AD/EMAIL ACTIVITIES, AUTHENTICATED VA TO BE DONE, SIEM) THREAT USER ANALYSIS (INTERVIEW TARGETED USER, CONTEXT, TRIGGERS, RECENT UNUSUAL ACTIVITIES/ALERTS) THREAT RESEARCH ANALYSIS (ONLINE SEARCH FOR SIMILAR THREATS, PROFESSIONAL FORUMS, VENDOR ENGAGEMENT) PUBLIC 1 2 3 4 5 {elysiumsecurity} cyber protection & response 4. INVESTIGATION GOING FURTHERRESPONSECONTEXT
  • 10.
    10 THREAT NETWORK REMEDIATION (BLOCKIP, PORTS, DOMAINS, EMAILS. UPDATE F/W, IDS, APT AND SIEM RULES) THREAT MALWARE REMEDIATION (UPDATE HOST AND NETWORK A/V SIGNATURES. ENGAGE WITH VENDORS THAT DID NOT DETECT THE THREAT) THREAT HOST REMEDIATION (REMOVE/BAN INFECTED APPS/PLUGINS, CLEAR INBOX RULES, REMEDIATE ISSUES FOUND DURING THE VA) THREAT USER REMEDIATION (INDIVIDUAL AND GROUP USER AWARENESS SESSION RELEVANT TO THE THREAT) DECLARE THE INCIDENT REMEDIATED PUBLIC 1 2 3 4 5 {elysiumsecurity} cyber protection & response 5. REMEDIATION GOING FURTHERRESPONSECONTEXT
  • 11.
    11 ON GOING REPORTING (DOCUMENTATIONAND EVIDENCE SHOULD BE GENERATED AS MUCH AS POSSIBLE DURING THE PREVIOUS PHASES) EVIDENCE GATHERING (THREAT ACTORS, ATTACK VECTORS, ATTACK SURFACE) INCIDENT DOCUMENTATION (THREAT AND INCIDENT DETAILS, TRIGGERS, OWNER, FINDINGS, TIMELINE) INCIDENT REGISTER (CREATE/UPDATE AN OVERALL INCIDENT REGISTER TO TRACK PROGRESS AND GENERATES STATISTICS. CAN BE LINKED TO OTHER REGISTERS: RISKs/ISSUES) INCIDENT REPORT COMMUNICATION (AS REQUIRED: INTERNAL/EXTERNAL, STAFF/MANAGEMENT/BOARD, VENDORS/CLIENTS, GOVERNMENT/REGULATORS) PUBLIC 1 2 3 4 5 {elysiumsecurity} cyber protection & response 6. REPORTING GOING FURTHERRESPONSECONTEXT
  • 12.
    12 ROOT CAUSE ANALYSIS (IDENTIFYAND DOCUMENT INCIDENT TRIGGERS AND SECURITY GAPS THAT ENABLED THE INCIDENT TO OCCUR) CONTROLS AND PROCESSES READINESS (EVALUATE THE EFFICIENCY OF CURRENT SECURITY CONTROLS AND PROCESSES IN LIGHT OF THE INCIDENT) INCIDENT TRENDS ANALYSIS (ARE YOU LEARNING FROM PAST INCIDENTS? IS YOUR RISK PROFILE CHANGING?) MITIGATION PLAN (MITIGATE IMPACT OF SIMILAR FUTURE INCIDENTS) IMPROVEMENTS PLAN (STOP OCCURRENCE OF SIMILAR FUTURE INCIDENTS) PUBLIC 1 2 3 4 5 {elysiumsecurity} cyber protection & response 7. LEARNINGS GOING FURTHERRESPONSECONTEXT
  • 13.
    13 ANALYSIS PUBLIC CONTAINMENT/REMEDIATION NETWORK • BLOCK IP/PORTS/SERVICES; •BLOCK EMAIL; • CHANGE PWD MALWARE HOST • UPDATE A/V AND F/W RULES; • REMOVE MALWARE/SERVICES; • CHANGE PWD. • REMOVE SOFTWARE/PLUGIN; • UPDATE SECURITY CONFIGURATION; REMOVE SERVICES/LOCAL ADMIN. {elysiumsecurity} cyber protection & response GENERIC RESPONSE PLAYBOOK GOING FURTHERRESPONSECONTEXT
  • 14.
    14 Forum of IncidentResponse and Security Teams (FIRST) FRAMEWORK (https://www.first.org/education/FIRST_SIRT_Services_Framework_Version1.0.pdf) National Institute of Standards and Technology (NIST) Special Procedure (SP) 800-61 (https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf) International Organization for Standardization (ISO) ISO/IEC 27035-1:2016 (https://www.iso.org/standard/60803.html) International Organization for Standardization (ISO) ISO/IEC 27035-2:2016 (https://www.iso.org/standard/62071.html?browse=tc) CONTACT US! (contact@elysiumsecurity.com) PUBLIC {elysiumsecurity} cyber protection & response RESOURCES GOING FURTHERRESPONSECONTEXT
  • 15.
    {elysiumsecurity} cyber protection &response © 2015-2019 ELYSIUMSECURITY LTD ALL RIGHTS RESERVED HTTPS://WWW.ELYSIUMSECURITY.COM ABOUT ELYSIUMSECURITY LTD. ELYSIUMSECURITY PROVIDES PRACTICAL EXPERTISE TO IDENTIFY VULNERABILITIES, ASSESS THEIR RISKS AND IMPACT, REMEDIATE THOSE RISKS, PREPARE AND RESPOND TO INCIDENTS AS WELL AS RAISE SECURITY AWARENESS THROUGH AN ORGANIZATION. ELYSIUMSECURITY PROVIDES HIGH LEVEL EXPERTISE GATHERED THROUGH YEARS OF BEST PRACTICES EXPERIENCE IN LARGE INTERNATIONAL COMPANIES ALLOWING US TO PROVIDE ADVICE BEST SUITED TO YOUR BUSINESS OPERATIONAL MODEL AND PRIORITIES. ELYSIUMSECURITY PROVIDES A PORTFOLIO OF STRATEGIC AND TACTICAL SERVICES TO HELP COMPANIES PROTECT AND RESPOND AGAINST CYBER SECURITY THREATS. WE DIFFERENTIATE OURSELVES BY OFFERING DISCREET, TAILORED AND SPECIALIZED ENGAGEMENTS. ELYSIUMSECURITY OPERATES IN MAURITIUS AND IN EUROPE, A BOUTIQUE STYLE APPROACH MEANS WE CAN EASILY ADAPT TO YOUR BUSINESS OPERATIONAL MODEL AND REQUIREMENTS TO PROVIDE A PERSONALIZED SERVICE THAT FITS YOUR WORKING ENVIRONMENT.